#WannaCry, now what?

It was supposed to be a nice weekend, but for many people working in IT and security organizations, last weekend turned out to be a nightmare. A self-replicating ransomware going by the name of WannaCry hit several hundreds of thousands of computers worldwide, many of them in large organizations – the NHS, Renault, and Telefonica have been mentioned in the news. Every time such an attack makes it to the headlines, the priority for IT and security people is to manage the crisis: contain the spread, eradicate the worm, and resume normal business operations. This can take hours or days (and nights), sometimes longer, but hopefully everything is back to normal before the next one hits.

Time to reflect

Then, if time permits, should come the time to reflect. Whether or not the organization was hit by this one, it’s pretty sure that there will be a next one. How can we prevent it or at least limit its foreseeable impacts. What kind of short-term protections can we put in place, but also mid-term measures – compatible with budgeting. Are we in the position to prevent these attacks, or just to mitigate their consequences. Answering these questions requires to understand what makes our IT systems vulnerable to this kind of attacks and therefore to understand how they work.

Anatomy of an attack

Most viruses share some common facts.

They execute code on our machines: some destroy data, some use our permissions for other purposes (to spread, to make transactions with our money, to get our data, to send traffic to targets…), and now, some even ransom us. Ransomware is on the rise in part due to anonymous currencies such as bitcoins.

Ransomwares encrypt files on any file system that they have access to: the machine they have infected, but also external drives connected to it and possibly file servers (although for the time being Linux servers are less impacted).

Their code arrives on machines via email most of of the times, since we hardly use external drives any longer to transfer files.

They are executed with the explicit consent of the user. Of course, for this, they have to find ways to trick him or her to authorize the installation or execution or edition of a file, and therefore to bypass the safeguards implemented by our programs and operating systems.

However, WannaCry (or some of it variants) seems to be different in the way in which it has infected machines because it used a vulnerability of a communication port (SMB). It could therefore infect machines connected to the Internet and to organizations’ local area networks without any action of the users.

A market mismatch?

While this last characteristic made WannaCry one of the most infectious viruses ever, it’s also worth noting that by relying on a vulnerability touching mostly older versions of Windows, it impacted primarily large organizations and industrial systems that were not running on the most recent, patched OS.

Whereas it had very serious operational consequences for these organizations – production stopped a full day in one of Renault’s manufacturing plants for instance – WannaCry largely missed its target as a ransomware, which is to get paid to provide a deciphering key.

Schematically, the same reason why impacted organizations were still running on older Windows versions – their size – made these organizations less likely to pay in order to get back access to their data: most larger organizations have backup systems in place, from which they could restore their data. For them, WannaCry was a huge operational annoyance, as any wide spreading virus would have been. But the sweet spot for a ransomeware is rather B2C and Small businesses. However, by using this method of infection, WannaCry partially missed it.

Preventing the attacks or minimizing the consequences?

There’s no definitive winner in this game, attacker against defender, because there’s no such thing as a total protection that you could implement and then go attend other businesses. So, even if you invest in protection solutions (anti-virus, anti-malware, threat detection based on big data analytics, deep machine learning, and artificial intelligence, or whatever the next trendy technology fitting your budget will be), you should also prepare for the event that they will get bypassed. Then, how can you minimize the impact of the next ransomware that will go undetected?

Sadly, if your files get encrypted by a ransomware, there’s no direct way to decipher them. Attackers use the same encryption algorithms – in particular AES – that we use to protect our data from attackers. These algorithms are secure, which means here that the best known method to decipher your files is to try all possible keys, which, given the size of the keys, might take tens of years or more with a large computer. It’s not an option. Also, if the attackers had a known place of business, we could in theory hack their system in return and get all the encryption keys that they have used. But, well, that’s not going to happen either and we can’t send the police where the ransom will be delivered: there’s no way to break the anonymity of the bitcoin system used to collect the ransoms.

Therefore, no, we can’t hack a ransomware unless the attacker did a very poor job, but we shouldn’t count too much on that. We should instead make sure that we don’t need to pay the ransom to get back access to our files.

How to get immune to a ransomware

The most obvious way would be to have no file on our computers and work only online in applications with web browsers. We’re probably much closer to this ideal than we were 10 years ago but realistically, there are still a lot of circumstances when we need the files on our machines: when we work offline, when we deal with contacts who expect us to send attachments, etc. Also, even if great progress has been made, the quality of online applications does not yet match that of local software.

At least, files on our computers should be thought of and managed as mere copies that we need temporarily locally, not as the originals. These originals should be kept somewhere else: in the Cloud thanks to a synchronization software, in a back-up system, etc. Of course, if our local files get encrypted and deleted, and if the synchronization or back-up is automated, this will impact the original files as well. This is why the back-up or Cloud storage system would need to store the files history, not just the last version, so that we can restore the originals, plain-text files.

Finally, most importantly, back-up or Cloud storage solutions should enforce multi-factor authentication such as inWebo’s in order that ransomwares and attackers cannot target them through badly protected dashboard or admin interfaces.

These simple measures would not diminish the operational annoyance of a ransomware in our organizations (or home), but at least it would make pointless the option to pay ransom.